EDRSilencer: uses WFP to block EDR agents from reporting security events to the server

by do son · Published · Updated

block Endpoint Detection and Response

EDRSilencer

Inspired by the closed-source FireBlock tool FireBlock from MdSec NightHawk, I created my version. This tool was created to block the outbound traffic of running EDR processes using Windows Filtering Platform (WFP) APIs.

This tool offers the following features:

  • Search known running EDR processes and add WFP filter to block its outbound traffic
  • Add WFP filter for a specific process
  • Remove all WFP filters created by this tool
  • Remove a specific WFP filter by filter id
  • Support to run in C2 with in-memory PE execution module (e.g., BruteRatel's memexec)

The tool currently supports the following EDRs:

  • Microsoft Defender for Endpoint and Microsoft Defender Antivirus
  • Elastic EDR
  • Trellix EDR
  • Qualys EDR
  • SentinelOne
  • Cylance
  • Cybereason
  • Carbon Black EDR
  • Carbon Black Cloud
  • Tanium
  • Palo Alto Networks Traps/Cortex XDR
  • FortiEDR
  • Cisco Secure Endpoint (Formerly Cisco AMP)

Use

Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>
– Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:
EDRSilencer.exe blockedr

– Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):
EDRSilencer.exe block “C:\Windows\System32\curl.exe”

– Remove all WFP filters applied by this tool:
EDRSilencer.exe unblockall

– Remove a specific WFP filter based on filter id:
EDRSilencer.exe unblock <filter id>

Example

Detect and block the outbound traffic of running EDR processes

EDRSilencer.exe blocked

Download

Copyright (c) 2023 Chris Au